CTF-practice-evening:2014-07-07

From Technologia Incognita

Latest revision as of 18:55, 7 July 2014

Date 2014/07/07
Time
Location ACTA
Type Workshop
Contact Melanie

Capture The Flag evening - Part 21

  • 7 July, 2014 - 7 PM
  • Please bring along a laptop with you!!!

General CTF Info

Pwnium CTF Retrospective

  • Link to Dimitris' Etherpad: https://pad.riseup.net/p/7fe081c3612b3dbd33ff954fe378826d
  • Link to download the challenges: https://pad.riseup.net/redirect#https%3A//t.co/0IW2JAehKR
  • Esoteric programming language used in one of the challenges: http://compsoc.dur.ac.uk/whitespace/
    • Another (unrelated) esoteric programming language: http://www.dangermouse.net/esoteric/hq9plusplus.html

Walk throughs

  • Dimitris is discussing the challenges solved by Team Knuffelhackers in the Pwnium CTF last weekend
  • Kernel land (150 points):
    • Static binary - Dimitris loaded it into QEMU
    • When he runs it, it produces ticks - the hint: the flag is on the 3rd tick
    • He added a debugger to the VM
    • He put a breakpoint on timer tick - and there's also a variable called 'flag'
    • He needed to add the symbols to GDB
    • He single-stepped through the "ticks" up to the 3rd tick, and then examined the flag variable in memory at Tick 3
  • USB is fun (100 points):
    • We're given a pcap file with a USB transaction
    • He was able to find the flag just by running strings on it!
  • Look closer (50 points)
    • We got a rar file that is actually a jpeg
    • If you look at the jpg file, you can see the flag
  • Break me (100 points)
    • Dimitris base64-decoded it - it's a bzip2 file
    • Dimitris decompressed it with bunzip2
    • This gave the flag value
  • So basic (75 points)
    • He is given a zip file containing 2 byte strings
    • Each of these hashes represents a number 1-40
    • He wrote a bash script that puts these things in order
    • It's a chain of MD5 hashes
    • If it's present in the directory, you copy this to flag.txt
    • If you hex-decode this (e.g. in Python) then you get the flag value
  • Altered code
    • We're given a main.c file with some computations, rotations, and a secret code
    • He noticed 2 places where indentation was broken (somebody had modified the files)
    • He commented these lines out, and then the program gave the flag when run
  • ROT (300 points)
    • A URL and port number gave a base64 string; it waited about 5 seconds for an answer and then closed the connection
    • If he decodes the string, it gives an image - but you only have 5 seconds to extract the text and submit it as the flag!
    • He started looking into image transformations with Python
    • He used Python to clean up the image - then he needed OCR to extract the text
    • He converted the image to black and white
    • He was using an OCR program called "cuneiform"(?)
  • Baybe crackme
    • You get the flag by adding an arbitrary command line parameter
  • Find the owner:
    • This binary was connecting to a Tunisian government website
    • He concatenated the IP address and port, and that was the flag
  • Be a robot
    • Buffer overflow - jump to a function - get a shell from there
    • Dimitris solved it locally but not remotely
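For "USB is fun": running strings(1) over the whole capture file worked there, but a string sent as USB bulk or interrupt data can be split across several packets, and the per-packet usbmon pseudo-header then sits in the middle of it. The Python below is an added example, not from the team or the challenge files; it walks a classic pcap record by record, extracts printable runs per packet, and also scans the concatenated data phases. The capture bytes, the FLAG{...} format and the 48-byte pseudo-header stand-in are constructed for the example.

```python
import re
import struct

# pcap constants (classic libpcap format, not pcapng)
PCAP_MAGIC_LE = 0xA1B2C3D4          # as read little-endian from a little-endian file
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1     # the same bytes read from a big-endian file
LINKTYPE_USB_LINUX = 189            # usbmon capture with a 48-byte pseudo-header per packet
USBMON_HDR_LEN = 48                 # data phase of each transfer starts after this
FLAG_RE = re.compile(r"FLAG\{[^}]*\}")  # constructed flag format for the sample below


def build_pcap(payloads, linktype=LINKTYPE_USB_LINUX):
    """Assemble a little-endian pcap from raw packet payloads (test fixture only)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, linktype)
    for i, p in enumerate(payloads):
        out += struct.pack("<IIII", 1404700000 + i, 0, len(p), len(p)) + p
    return out


def iter_packets(pcap):
    """Yield (ts_sec, linktype, payload) for every record in a classic pcap."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        endian = ">"
    else:
        raise ValueError("not a classic pcap (magic %#x)" % magic)
    linktype = struct.unpack_from(endian + "I", pcap, 20)[0]
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        yield ts_sec, linktype, pcap[off:off + incl_len]
        off += incl_len


def ascii_strings(data, min_len=4):
    """Printable-ASCII runs of at least min_len bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def pcap_strings(pcap, min_len=4):
    """(packet_index, string) for every printable run in every packet payload."""
    hits = []
    for idx, (_ts, _lt, payload) in enumerate(iter_packets(pcap)):
        for s in ascii_strings(payload, min_len):
            hits.append((idx, s))
    return hits


def find_flags(pcap, pattern=FLAG_RE, header_len=USBMON_HDR_LEN):
    """Flag-shaped strings, per packet and across the concatenated data phases.

    Skipping the per-packet pseudo-header and joining the data phases catches a
    string that a transfer split over several packets."""
    found = set()
    for _idx, s in pcap_strings(pcap):
        m = pattern.search(s)
        if m:
            found.add(m.group())
    joined = b"".join(p[header_len:] for _ts, _lt, p in iter_packets(pcap))
    found.update(m.group() for m in pattern.finditer(joined.decode("latin-1")))
    return sorted(found)


# Constructed fixture: 48 non-printable bytes stand in for the usbmon header,
# followed by the data phase of each transfer. The flag is split across two packets.
SAMPLE_HDR = bytes(range(0, 32)) + bytes(range(128, 144))
SAMPLE_PCAP = build_pcap([
    SAMPLE_HDR + b"\x00\x01",               # control transfer, nothing printable
    SAMPLE_HDR + b"FLAG{constru",           # first half of a bulk transfer
    SAMPLE_HDR + b"cted_usb_flag}\r\n",     # second half
    SAMPLE_HDR + b"Keyboard\x00\x00",       # a string descriptor
])

if __name__ == "__main__":
    for idx, s in pcap_strings(SAMPLE_PCAP):
        print("packet %d: %s" % (idx, s))
    print("flags:", find_flags(SAMPLE_PCAP))
```

Per-packet strings show "FLAG{constru" and "cted_usb_flag}" as two unrelated hits; only the joined scan returns the whole flag. For a real capture, replace SAMPLE_PCAP with the file contents and pick header_len for the link type (48 for LINKTYPE_USB_LINUX, 64 for the mmapped variant).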
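"Look closer" (a .rar that is really a JPEG) and "Break me" (base64 wrapped around bzip2) are both cases of trusting the container's bytes rather than its name. The Python below is an added example, not part of the write-up or the challenge files: identify() classifies a blob by its leading bytes, extension_mismatch() flags a name that lies about its type, and peel() strips base64/bzip2/gzip/zlib layers until something terminal is left. The sample blobs are constructed; the magic-byte table is a small hand-picked subset.

```python
import base64
import binascii
import bz2
import gzip
import zlib

# Leading-byte signatures; assembled for this example, not exhaustive.
MAGIC = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"Rar!\x1a\x07", "rar"),
    (b"PK\x03\x04", "zip"),
    (b"BZh", "bzip2"),
    (b"\x1f\x8b", "gzip"),
    (b"%PDF", "pdf"),
]
EXT_KIND = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "rar": "rar",
            "zip": "zip", "bz2": "bzip2", "gz": "gzip", "pdf": "pdf"}


def _looks_base64(s):
    if len(s) % 4 != 0:
        return False
    try:
        base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def identify(data):
    """Classify a blob by content, ignoring whatever extension it carried.

    Magic bytes win over the base64 test, so a base64 text that happens to
    start with 'BZh' would be misread; rare, and peel() then fails loudly."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    if len(data) >= 2 and data[0] == 0x78 and (data[0] * 256 + data[1]) % 31 == 0:
        return "zlib"  # zlib header: CMF 0x78 plus a FLG byte making the pair divisible by 31
    stripped = b"".join(data.split())
    if stripped and _looks_base64(stripped):
        return "base64"
    return "unknown"


def extension_mismatch(filename, data):
    """True when the name claims a type the bytes do not have ('Look closer')."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXT_KIND.get(ext)
    return claimed is not None and claimed != identify(data)


def peel(data, max_layers=8):
    """Strip transport layers (base64, bzip2, gzip, zlib) until a terminal type remains.

    Returns (payload, layers); layers ends with the final classification."""
    layers = []
    for _ in range(max_layers):
        kind = identify(data)
        if kind == "base64":
            data = base64.b64decode(b"".join(data.split()))
        elif kind == "bzip2":
            data = bz2.decompress(data)
        elif kind == "gzip":
            data = gzip.decompress(data)
        elif kind == "zlib":
            data = zlib.decompress(data)
        else:
            return data, layers + [kind]
        layers.append(kind)
    return data, layers + ["too-many-layers"]


# Constructed fixtures shaped like the two challenges.
SAMPLE_BREAK_ME = base64.b64encode(bz2.compress(b"flag{constructed-break-me}"))
SAMPLE_LOOK_CLOSER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(32)  # JPEG header bytes

if __name__ == "__main__":
    payload, layers = peel(SAMPLE_BREAK_ME)
    print(layers, payload)
    print("look_closer.rar is really", identify(SAMPLE_LOOK_CLOSER),
          "- mismatch:", extension_mismatch("look_closer.rar", SAMPLE_LOOK_CLOSER))
```

The max_layers cap matters outside a CTF: a decompression layer can expand a small input enormously, so a peeler run over untrusted uploads should also bound the output size of each decompress step.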
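For "So basic", the notes leave the exact file layout open; the Python below is an added example, not Dimitris' bash script, and it assumes one reading of the notes: each file is named after the MD5 of its position in the chain (1 to 40), holds a two-character hex string, and positions without a file are simply skipped. Walking the positions rather than the directory listing is what puts the pieces in order, since the hash names sort meaninglessly. The fixtures are constructed.

```python
import hashlib
import os


def name_for(position):
    """Filename for a chain position.

    Assumption for this example: each file is named after the MD5 of its
    decimal position, i.e. what `printf 1 | md5sum` prints for position 1."""
    return hashlib.md5(str(position).encode("ascii")).hexdigest()


def ordered_pieces(files, lo=1, hi=40):
    """Walk positions lo..hi and collect (position, content) for the files present.

    `files` maps filename -> bytes, so the same code serves an in-memory fixture
    and a real directory loaded with load_directory()."""
    pieces = []
    for n in range(lo, hi + 1):
        name = name_for(n)
        if name in files:                     # "if it's present in the directory"
            pieces.append((n, files[name].strip()))
    return pieces


def positions_present(files, lo=1, hi=40):
    return [n for n, _ in ordered_pieces(files, lo, hi)]


def recover_flag(files, lo=1, hi=40):
    """Concatenate the pieces in chain order and hex-decode the result."""
    hexdata = b"".join(piece for _, piece in ordered_pieces(files, lo, hi))
    return bytes.fromhex(hexdata.decode("ascii"))


def load_directory(path):
    """Read every file in an unpacked challenge directory into the dict shape above."""
    files = {}
    for name in os.listdir(path):
        with open(os.path.join(path, name), "rb") as fh:
            files[name] = fh.read()
    return files


def make_sample(flag, skip=()):
    """Constructed fixture: one hex byte per file, named by chain position."""
    files = {}
    for position, byte in enumerate(flag, start=1):
        if position not in skip:
            files[name_for(position)] = b"%02x\n" % byte
    return files


SAMPLE_FILES = make_sample(b"flag{so_basic_constructed}")  # 26 positions
SAMPLE_SPARSE = make_sample(b"abc", skip=(2,))             # position 2 missing

if __name__ == "__main__":
    # A directory listing sorts by hash name, which says nothing about order...
    print(sorted(SAMPLE_FILES)[:3])
    # ...so walk the positions instead.
    print(positions_present(SAMPLE_FILES))
    print(recover_flag(SAMPLE_FILES))
```

If the real challenge hashed something other than the bare decimal position (a trailing newline from echo, say), only name_for() needs changing.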
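For "Altered code", the tell was indentation: the two inserted lines were indented differently from the rest of main.c. That is worth automating when reviewing a source tree for tampering. The Python below is an added example, not the challenge's main.c or anyone's solver; it finds lines whose indentation character disagrees with the file's dominant style and can comment them out the way Dimitris did by hand. The C snippet is constructed.

```python
from collections import Counter

# Constructed stand-in for the challenge's main.c: tab-indented, with two
# space-indented lines that were inserted later.
SAMPLE_MAIN_C = """\
#include <stdio.h>

int main(void)
{
\tint i, acc = 0;
\tfor (i = 0; i < 8; i++) {
\t\tacc = (acc << 3) ^ (i * 17);
        acc = 0;  /* inserted line, space-indented */
\t}
\tprintf("%d\\n", acc);
    return 1;  /* inserted line, space-indented */
\treturn 0;
}
"""


def leading_ws(line):
    return line[:len(line) - len(line.lstrip(" \t"))]


def indent_style(ws):
    if not ws:
        return None
    if " " in ws and "\t" in ws:
        return "mixed"
    return "tab" if "\t" in ws else "space"


def find_indent_anomalies(source):
    """Lines whose indentation character differs from the file's dominant one.

    Returns (line_number, style, stripped_text) tuples, in file order."""
    indented = []
    for no, line in enumerate(source.splitlines(), start=1):
        if not line.strip():
            continue
        style = indent_style(leading_ws(line))
        if style:
            indented.append((no, style, line))
    if not indented:
        return []
    dominant = Counter(style for _, style, _ in indented).most_common(1)[0][0]
    return [(no, style, line.strip()) for no, style, line in indented if style != dominant]


def comment_out(source, line_numbers):
    """Disable the given lines with a // comment, as was done by hand for the challenge."""
    out = []
    for no, line in enumerate(source.splitlines(), start=1):
        out.append("// " + line.lstrip() if no in line_numbers else line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    anomalies = find_indent_anomalies(SAMPLE_MAIN_C)
    for no, style, text in anomalies:
        print("line %d (%s-indented): %s" % (no, style, text))
    print(comment_out(SAMPLE_MAIN_C, {no for no, _, _ in anomalies}))
```

This only catches an editor that used different whitespace than the original author; a careful modification that copies the file's style needs a diff against a trusted copy, which is the proper check for a real code base.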
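For "ROT", the pipeline was: decode the base64, clean the image up to black and white, hand it to OCR, all inside the 5-second window. The Python below is an added example, not the team's script, and it uses the plain PGM format instead of whatever the server actually sent so that it runs with the standard library alone: it parses the image, picks a black/white threshold with Otsu's method, writes a PBM that an OCR tool can read, and reports whether the budget held. The image and its base64 form are constructed; with Pillow, `list(Image.open(path).convert("L").getdata())` would feed otsu_threshold() the same way.

```python
import base64
import time


def parse_pgm(buf):
    """Parse a binary (P5) or ASCII (P2) PGM into (width, height, pixels).

    Only the 8-bit case is handled; comments in the header are skipped."""
    tokens = []
    pos = 0
    while len(tokens) < 4:
        while pos < len(buf) and buf[pos:pos + 1].isspace():
            pos += 1
        if buf[pos:pos + 1] == b"#":
            while pos < len(buf) and buf[pos:pos + 1] != b"\n":
                pos += 1
            continue
        start = pos
        while pos < len(buf) and not buf[pos:pos + 1].isspace():
            pos += 1
        if start == pos:
            raise ValueError("truncated PGM header")
        tokens.append(buf[start:pos])
    magic, width, height, maxval = tokens[0], int(tokens[1]), int(tokens[2]), int(tokens[3])
    if maxval > 255:
        raise ValueError("16-bit PGM not supported here")
    pos += 1  # exactly one whitespace byte separates maxval from the raster
    if magic == b"P5":
        pixels = list(buf[pos:pos + width * height])
    elif magic == b"P2":
        pixels = [int(t) for t in buf[pos:].split()][:width * height]
    else:
        raise ValueError("not a PGM: %r" % magic)
    if len(pixels) != width * height:
        raise ValueError("truncated raster")
    return width, height, pixels


def otsu_threshold(pixels):
    """Otsu's method: the grey level that best separates two intensity classes."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    total = len(pixels)
    sum_all = sum(i * h for i, h in enumerate(hist))
    sum_b = w_b = 0
    best, thresh = -1.0, 0
    for t in range(256):
        w_b += hist[t]
        if w_b == 0:
            continue
        w_f = total - w_b
        if w_f == 0:
            break
        sum_b += t * hist[t]
        m_b, m_f = sum_b / w_b, (sum_all - sum_b) / w_f
        between = w_b * w_f * (m_b - m_f) ** 2
        if between > best:
            best, thresh = between, t
    return thresh


def binarize_pgm(buf):
    """Return (width, height, rows) with 1 for ink (dark) and 0 for background."""
    width, height, pixels = parse_pgm(buf)
    t = otsu_threshold(pixels)
    rows = [[1 if p <= t else 0 for p in pixels[y * width:(y + 1) * width]] for y in range(height)]
    return width, height, rows


def to_pbm(width, height, rows):
    """Plain PBM (P1): the form an OCR tool such as cuneiform or tesseract is fed next."""
    body = "\n".join(" ".join(str(v) for v in row) for row in rows)
    return "P1\n%d %d\n%s\n" % (width, height, body)


def solve_round(b64_text, deadline_s=5.0):
    """Decode the base64 image, binarize it and report whether the time budget held."""
    start = time.monotonic()
    width, height, rows = binarize_pgm(base64.b64decode(b64_text))
    pbm = to_pbm(width, height, rows)
    return pbm, (time.monotonic() - start) < deadline_s


# Constructed 8x3 P5 image: light grey noise with four dark "glyph" pixels in the middle row.
SAMPLE_PIXELS = [110, 120, 115, 118, 112, 119, 121, 117,
                 116, 30, 25, 118, 35, 20, 119, 113,
                 114, 118, 111, 120, 117, 113, 116, 110]
SAMPLE_PGM = b"P5\n# constructed\n8 3\n255\n" + bytes(SAMPLE_PIXELS)
SAMPLE_B64 = base64.b64encode(SAMPLE_PGM).decode("ascii")

if __name__ == "__main__":
    pbm, in_time = solve_round(SAMPLE_B64)
    print(pbm, "within budget:", in_time)
```

Otsu replaces a hand-picked cut-off, which matters when each round serves a differently lit image; the OCR call itself (cuneiform or tesseract run on the written PBM) is external and not part of the block.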